Threat of the Week: Picture Zeus
Picture the banking Trojan Zeus hiding in innocuous images — photos of your kids, a kitten, a sunset — and that just may be the worst horror show imaginable.
And it may be coming to a computer near you.
That’s the loud alert from security firm Trusteer, which has sounded an alarm about what it dubs ZeusVM.
And, said Trusteer fraud prevention expert Etay Maor, it allows cyber crooks to hide command and control instructions for Zeus malware in pictures that at first glance seem harmless. At second glance too: “the human eye does not detect that the image has been altered,” Maor said.
Back up a step: Zeus — first identified in 2007 — quickly established itself as the most pernicious banking malware ever. It is estimated to be on over three million Windows-based computers in the U.S. alone. It is not known to run on Apple operating systems, Linux or Chrome OS.
What it does, much of the time, is absolutely nothing. That is key to its genius. It lies dormant until the infected computer visits a targeted banking or credit union website, and then it hops into motion, capturing login credentials such as username and password from the fields the victim fills in. Later, those details are transmitted to a criminal who busies himself looting that account.
To the financial institution, it looks like the rightful owner has logged in because the credentials are perfect.
Zeus divides into two parts. There’s the actual malware code, usually installed when an unwitting victim clicks on an email link that purports to take him to a legitimate site but instead detours through a page that silently installs a tiny chunk of malicious code.
The other part of Zeus is the instruction set, typically constructed for particular banks or credit unions. These command and control instructions tell the malware what to collect, and from which fields, when the victim visits specified banking sites.
Both parts are needed for Zeus to steal.
What is delivered in the images, said Jesper Jurcenoks, director of research at security firm Critical Watch, is not the so-called executable code — the actual Zeus malware Trojan — but the instruction sets.
Since there is no executable in the image, it is even harder for security screening tools to tumble to the fact that the picture is bad.
Note, too, there is no need to download the infected image to a victim computer. If the image is on a website, just looking at it in the browser is enough. “The instructions will download to your computer,” said Kevin Epstein, a vice president at cyber-security firm Proofpoint.
By the time your eyes have focused on the image, the instructions are on your computer, said Epstein.
What makes ZeusVM important, said various security experts, is that Zeus detection systems had been making progress in blocking delivery of instruction sets, because those files all revolve around telltale words such as “bank.”
With ZeusVM, the words are camouflaged in that innocuous image. That’s why the image may let Zeus evade standard detection screens.
Worse news: this may be just the start of an avalanche of bad images and other, ever more devious strategies designed to hide toxic payloads, said Chad Davis, an expert in what is called steganography with Backbone Security.
Steganography, which goes back centuries, involves hiding information in plain sight and, said Davis, “most security systems don’t look hard at images, which is why this can be so effective.”
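To make that concrete, here is an added example; it is illustrative code written for this page, not code from the article, Trusteer or any of the firms quoted, and the article does not say how ZeusVM actually encodes its instructions. It assumes the simplest trick that leaves every pixel untouched: the instruction set is appended after the image’s end marker (the IEND chunk of a PNG, the EOI marker of a JPEG) and lightly XOR-encoded, so a scanner hunting for the string “bank” finds nothing. An image viewer stops at the marker and renders the picture normally; only code that knows to look past it recovers the payload. The same structural walk is the check an e-mail or web gateway could run on every image it passes. The picture, the JPEG skeleton, the configuration text and the key are all constructed inline.

```python
"""Hide a config past an image's end marker, then detect it structurally.
Added illustration; the XOR encoding, key and config format are assumptions, not ZeusVM's."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def make_png(width: int, height: int, rgb_rows: list) -> bytes:
    """Build a valid 8-bit RGB PNG with filter type 0 on every scanline."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + row for row in rgb_rows)
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", zlib.compress(raw)) + _png_chunk(b"IEND", b"")

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Toy XOR encoding (assumed): enough to keep words like 'bank' out of a string scan."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def png_trailing_data(blob: bytes) -> bytes:
    """Walk the chunk list; return whatever follows IEND (b'' for a clean file)."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 12 + length                      # length, type, data, CRC
        if ctype == b"IEND":
            return blob[pos:]
    raise ValueError("truncated PNG: no IEND chunk")

def png_pixel_rows(blob: bytes) -> list:
    """Decode the filter-0 scanlines make_png writes (other filters not handled)."""
    pos, idat, width, height = len(PNG_SIG), b"", 0, 0
    while True:
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", data[:8])
        elif ctype == b"IDAT":
            idat += data
        elif ctype == b"IEND":
            break
        pos += 12 + length
    raw, stride = zlib.decompress(idat), 1 + 3 * width
    return [raw[r * stride + 1:(r + 1) * stride] for r in range(height)]

def jpeg_trailing_data(blob: bytes) -> bytes:
    """Walk JPEG marker segments and entropy-coded scans; return the bytes after EOI."""
    if blob[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 1 < len(blob):
        if blob[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = blob[pos + 1]
        if marker == 0xFF:                                  # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                                # EOI: the real end of the picture
            return blob[pos + 2:]
        elif marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                                        # standalone markers carry no length
        elif marker == 0xDA:                                # SOS header, then entropy-coded data
            pos += 2 + struct.unpack(">H", blob[pos + 2:pos + 4])[0]
            while pos + 1 < len(blob):
                nxt = blob[pos + 1]
                # 0xFF00 is byte stuffing and 0xFFD0..D7 are restart markers; both belong to the scan
                if blob[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
        else:                                               # any other segment: skip by its length
            pos += 2 + struct.unpack(">H", blob[pos + 2:pos + 4])[0]
    raise ValueError("truncated JPEG: no EOI marker")

def trailing_data(blob: bytes) -> bytes:
    """Gateway check: bytes hiding after the end marker of a PNG or JPEG (b'' when clean)."""
    if blob.startswith(PNG_SIG):
        return png_trailing_data(blob)
    if blob.startswith(b"\xff\xd8"):
        return jpeg_trailing_data(blob)
    raise ValueError("unsupported image type")

# Constructed sample data: a 2x2 picture, a config in a made-up format, a toy key.
CLEAN_PNG = make_png(2, 2, [b"\xff\x00\x00\x00\xff\x00", b"\x00\x00\xff\xff\xff\xff"])
CONFIG = b"target bank.example.test\ngrab user,pass,otp\n"     # hypothetical instruction set
KEY = b"\x5a\xc3\x9e"
STEGO_PNG = CLEAN_PNG + xor_bytes(CONFIG, KEY)                # viewers stop at IEND, so pixels are untouched

# Structurally minimal JPEG skeleton (APP0, SOS, a scan containing a stuffed 0xFF00
# and a restart marker, then EOI). Constructed for the parser; it is not a decodable photo.
JPEG_SKELETON = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
                 + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
                 + b"\x12\x34\xff\x00\x56\xff\xd0\x78" + b"\xff\xd9")

if __name__ == "__main__":
    print("keyword in hidden bytes:", b"bank" in trailing_data(STEGO_PNG))
    print("pixels identical:", png_pixel_rows(STEGO_PNG) == png_pixel_rows(CLEAN_PNG))
    print("recovered config:", xor_bytes(trailing_data(STEGO_PNG), KEY))
    print("trailing bytes, clean PNG / tampered JPEG:",
          len(trailing_data(CLEAN_PNG)), len(trailing_data(JPEG_SKELETON + b"\x00payload")))
```

The point of the check is that it ignores content entirely: it does not look for “bank” or any other word, it asks whether the file is longer than its own format says it should be. That makes it immune to the camouflage, though not to a more careful adversary who hides the data inside a legitimate chunk or in the pixels themselves.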
Imagine a credit union employee gets an email with a half dozen embedded pictures of a member’s children. Now imagine that those pictures have a ZeusVM instruction set hidden in them. The nightmare hits full speed if the employee’s computer — maybe one at home — has a dormant version of Zeus on it.
The additional uses of the technique boggle the mind.
“With steganography, you could hide thousands of credit card numbers in a single image. This would pass through almost all data exfiltration screens,” Davis elaborated. “This is a big threat. There may be an infinite number of ways to hide information.”
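To put numbers on that capacity claim, here is a second added example, again written for this page and not taken from the article or any of the firms quoted. It works on a decoded RGB pixel buffer (a constructed gradient, so no image library is needed) and hides text in the least significant bit of each byte, the classic approach: no byte moves by more than one, so the picture looks identical, and a regex-based exfiltration filter that scans the image bytes for card-number patterns finds nothing, while the same regex finds every number once the bits are reassembled. The card numbers are constructed placeholders.

```python
"""LSB steganography on a raw RGB buffer: capacity, invisibility, and why a
pattern-matching exfiltration filter sees nothing. Added illustration with constructed data."""
import re
import struct

CARD_RE = re.compile(rb"\b\d{15,16}\b")   # the kind of pattern an exfiltration filter keys on

def lsb_capacity(width: int, height: int) -> int:
    """Bytes of secret a width x height RGB image carries in its LSBs (minus a 4-byte length)."""
    return (width * height * 3) // 8 - 4

def lsb_embed(cover: bytes, secret: bytes) -> bytes:
    """Write a length-prefixed secret into the least significant bit of each cover byte."""
    payload = struct.pack(">I", len(secret)) + secret
    if len(payload) * 8 > len(cover):
        raise ValueError("secret exceeds cover capacity")
    out = bytearray(cover)
    for i, byte in enumerate(payload):
        for b in range(8):
            bit = (byte >> (7 - b)) & 1
            out[i * 8 + b] = (out[i * 8 + b] & 0xFE) | bit
    return bytes(out)

def lsb_extract(stego: bytes) -> bytes:
    """Reassemble the hidden bytes from the LSBs, using the 4-byte length prefix."""
    def read(start: int, count: int) -> bytes:
        vals = bytearray()
        for i in range(start, start + count):
            v = 0
            for b in range(8):
                v = (v << 1) | (stego[i * 8 + b] & 1)
            vals.append(v)
        return bytes(vals)
    (n,) = struct.unpack(">I", read(0, 4))
    return read(4, n)

def max_pixel_delta(a: bytes, b: bytes) -> int:
    """Largest per-byte change between two buffers; 1 is invisible to the eye."""
    return max(abs(x - y) for x, y in zip(a, b))

def dlp_hits(blob: bytes) -> int:
    """What a naive exfiltration filter would report for this blob."""
    return len(CARD_RE.findall(blob))

# Constructed cover: a 64x48 RGB gradient, chosen so no stretch of bytes happens to look like digits.
WIDTH, HEIGHT = 64, 48
COVER = bytes((i * 7) % 256 for i in range(WIDTH * HEIGHT * 3))
# Constructed placeholder numbers (well-known test values, not real cards).
SECRET = b"4111111111111111\n5500000000000004\n340000000000009\n"
STEGO = lsb_embed(COVER, SECRET)

if __name__ == "__main__":
    print("capacity of a 1024x768 RGB image:", lsb_capacity(1024, 768), "bytes")
    print("largest byte change:", max_pixel_delta(COVER, STEGO))
    print("filter hits on image bytes:", dlp_hits(STEGO))
    print("filter hits after extraction:", dlp_hits(lsb_extract(STEGO)))
```

A single 1024x768 picture carries just under 295 KB this way, room for roughly eighteen thousand 16-digit numbers with line breaks, and the structural end-of-file check from the earlier example would not catch it either, since the file stays exactly as long as its format says. Spotting this class of hiding takes statistical tests on the pixel values, which is the harder, slower inspection Davis is describing.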
His firm prediction: “You will see more and more sophisticated attacks, using steganography.”
And that means existing security systems, which are generally useless against this attack vector today, need to be tweaked, fast, before these kinds of picture-based and other camouflaged attacks multiply.